[go: up one dir, main page]

CN107111515B - Internet of things platform, equipment and method - Google Patents

Internet of things platform, equipment and method Download PDF

Info

Publication number
CN107111515B
CN107111515B CN201580069097.4A CN201580069097A CN107111515B CN 107111515 B CN107111515 B CN 107111515B CN 201580069097 A CN201580069097 A CN 201580069097A CN 107111515 B CN107111515 B CN 107111515B
Authority
CN
China
Prior art keywords
iot
hub
public
private key
iot hub
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN201580069097.4A
Other languages
Chinese (zh)
Other versions
CN107111515A (en
Inventor
J·布里特
S·松村
H·福罗德
S·齐默尔曼
P·迈尔斯
S·扎维克
D·久田见
S·霍兰
J·李
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Afero Inc
Original Assignee
Afero Inc
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Priority claimed from US14/575,535 external-priority patent/US20160180100A1/en
Priority claimed from US14/575,463 external-priority patent/US9832173B2/en
Application filed by Afero Inc filed Critical Afero Inc
Publication of CN107111515A publication Critical patent/CN107111515A/en
Application granted granted Critical
Publication of CN107111515B publication Critical patent/CN107111515B/en
Active legal-status Critical Current
Anticipated expiration legal-status Critical

Links

Images

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/10Network architectures or network communication protocols for network security for controlling access to devices or network resources
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/30Authentication, i.e. establishing the identity or authorisation of security principals
    • G06F21/31User authentication
    • G06F21/42User authentication using separate channels for security data
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60Protecting data
    • G06F21/606Protecting data by securing the transmission between two devices or processes
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06KGRAPHICAL DATA READING; PRESENTATION OF DATA; RECORD CARRIERS; HANDLING RECORD CARRIERS
    • G06K19/00Record carriers for use with machines and with at least a part designed to carry digital markings
    • G06K19/06Record carriers for use with machines and with at least a part designed to carry digital markings characterised by the kind of the digital marking, e.g. shape, nature, code
    • G06K19/06009Record carriers for use with machines and with at least a part designed to carry digital markings characterised by the kind of the digital marking, e.g. shape, nature, code with optically detectable marking
    • G06K19/06037Record carriers for use with machines and with at least a part designed to carry digital markings characterised by the kind of the digital marking, e.g. shape, nature, code with optically detectable marking multi-dimensional coding
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/04Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L63/0428Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/06Network architectures or network communication protocols for network security for supporting key management in a packet data network
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04WWIRELESS COMMUNICATION NETWORKS
    • H04W12/00Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/50Secure pairing of devices
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L67/00Network arrangements or protocols for supporting network services or applications
    • H04L67/01Protocols
    • H04L67/12Protocols specially adapted for proprietary or special-purpose networking environments, e.g. medical networks, sensor networks, networks in vehicles or remote metering networks
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04WWIRELESS COMMUNICATION NETWORKS
    • H04W4/00Services specially adapted for wireless communication networks; Facilities therefor
    • H04W4/70Services for machine-to-machine communication [M2M] or machine type communication [MTC]

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Theoretical Computer Science (AREA)
  • Computer Hardware Design (AREA)
  • General Engineering & Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • Physics & Mathematics (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Software Systems (AREA)
  • Computing Systems (AREA)
  • General Health & Medical Sciences (AREA)
  • Bioethics (AREA)
  • Health & Medical Sciences (AREA)
  • Telephonic Communication Services (AREA)

Abstract

The invention discloses a platform, equipment and a method for implementing the Internet of things. For example, one embodiment of a system comprises: an internet of things (IoT) hub comprising a network interface that couples the IoT hub to an IoT service over a Wide Area Network (WAN) and programming logic that programs the identification device with one or more encryption keys that may be used to establish encrypted communications with the IoT device; and at least one IoT device that interfaces with the identification device after the IoT hub programs the identification device; wherein upon programming and interfacing with the identification device, the IoT device establishes a secure communication channel with the IoT hub and/or the IoT service using the one or more keys.

Description

Internet of things platform, equipment and method
Background
Technical Field
The present invention relates generally to the field of computer systems. More particularly, the present invention relates to the internet for a system and method for securely connecting network devices.
Description of the Related Art
The "internet of things" refers to the interconnection of uniquely identifiable embedded devices within the internet infrastructure. Finally, IoT is expected to lead to a new and wide variety of applications where almost any type of physical thing can provide information about itself or its surroundings and/or can be remotely controlled via a client device over the internet.
The development and adoption of the internet of things has been slow due to some of the problems associated with lack of connectivity, power and standardization. For example, one obstacle faced by IoT development and adoption is that there is no standard platform that allows developers to design and provide new IoT devices and services. To enter the IoT market, developers must design the entire IoT platform from scratch, including the network protocols and infrastructure, hardware, software, and services needed to support the required IoT implementation. Thus, each provider of IoT devices uses proprietary technology to design and connect IoT devices, which makes employing multiple types of IoT devices a burdensome task for end users. Another obstacle faced by IoT adoption is the difficulties associated with connection and power supply to IoT devices. For example, connecting appliances such as refrigerators, garage door switches, environmental sensors, home security sensors/controllers, etc. requires a power source to power each connected IoT device, and such power sources are often located inconveniently.
Drawings
The invention may be better understood from the following detailed description taken in conjunction with the following drawings, in which:
fig. 1A-1B illustrate different embodiments of an IoT system architecture;
fig. 2 illustrates an IoT device in accordance with one embodiment of the present invention;
fig. 3 illustrates an IoT hub in accordance with one embodiment of the present invention;
FIG. 4 illustrates a high level view of one embodiment of a security architecture;
fig. 5 illustrates one embodiment of an architecture in which keys are stored on IoT devices using a Subscriber Identity Module (SIM);
fig. 6A illustrates one embodiment in which an IoT device is registered with a barcode or QR code;
FIG. 6B illustrates an embodiment in which pairing is performed using a barcode or QR code;
fig. 7 illustrates one embodiment of a method of programming a SIM using an IoT hub;
fig. 8 illustrates one embodiment of a method for registering IoT devices with an IoT hub and an IoT service; and is
Fig. 9 illustrates one embodiment of a method of encrypting data to be transmitted to an IoT device.
Detailed Description
In the following description, for purposes of explanation, numerous specific details are set forth in order to provide a thorough understanding of the embodiments of the invention described below. It will be apparent, however, to one skilled in the art that embodiments of the invention may be practiced without some of these specific details. In other instances, well-known structures and devices are shown in block diagram form in order to avoid obscuring the underlying principles of embodiments of the present invention.
One embodiment of the present invention includes an internet of things (IoT) platform that developers can utilize to design and build new IoT devices and applications. In particular, one embodiment includes an underlying hardware/software platform for IoT devices that includes a predefined network protocol stack and an IoT hub through which the IoT devices couple to the internet. Further, one embodiment includes an IoT service through which IoT hubs and connected IoT devices may be accessed and managed as described below. Further, one embodiment of the IoT platform includes an IoT application or Web application (e.g., executing on a client device) to access and configure the IoT service, hub, and connected devices. Existing online retailers and other website operators can utilize the IoT platform described herein to easily provide unique IoT functionality for existing groups of users.
FIG. 1A shows an overview of an architectural platform on which embodiments of the present invention may be implemented. In particular, the illustrated embodiment includes multiple IoT devices 101-105 that are communicatively coupled to a central IoT hub 110 through a local communication channel 130, which is itself communicatively coupled to an IoT service 120 through the internet 220. Each of the IoT devices 101-105 may initially be paired with the IoT hub 110 (e.g., using the pairing techniques described below) to enable each of the local communication channels 130. In one embodiment, the IoT service 120 includes an end user database 122 for maintaining user account information and data collected from each user's IoT devices. For example, if the IoT device includes sensors (e.g., temperature sensors, accelerometers, thermal sensors, motion detectors, etc.), database 122 may be continuously updated to store data collected by IoT device 101 and 105. The data stored in the database 122 may then be accessed by end users via IoT applications or browsers installed on the user devices 135 (or via desktop or other client computer systems) and may be accessed by network clients (e.g., such as the websites 130 subscribing to the IoT service 120).
IoT devices 101-105 may be equipped with various types of sensors to collect information about themselves and their surroundings and provide the collected information to IoT services 120, user devices 135, and/or external websites 130 via IoT hub 110. Some of the IoT devices 101-105 may perform specified functions in response to control commands sent through the IoT hub 110. The following provides a number of specific examples of information and control commands collected by IoT devices 101-105. In one embodiment described below, IoT device 101 is a user input device designed to record user selections and send the user selections to IoT service 120 and/or a website.
In one embodiment, the IoT hub 110 includes a cellular radio to establish a connection to the internet 220 via a cellular service 115, such as a 4G (e.g., mobile WiMAX, LTE) or 5G cellular data service. Alternatively or in addition, the IoT hub 110 may include WiFi radios to establish WiFi connections through a WiFi access point or router 116 that couples the IoT hub 110 to the internet (e.g., via an internet service provider that provides internet services to end users). Of course, it should be noted that the underlying principles of the invention are not limited to any particular type of communication channel or protocol.
In one embodiment, IoT devices 101-105 are ultra-low power devices that can operate for long periods of time (e.g., years) using battery power. To conserve power, the local communication channel 130 may be implemented using a low power wireless communication technology such as bluetooth Low Energy (LE). In this embodiment, each of IoT devices 101-105 and IoT hub 110 are equipped with a bluetooth LE radio and protocol stack.
As described above, in one embodiment, the IoT platform includes an IoT application or Web application that executes on the user device 135 to allow the user to access and configure the connected IoT devices 101-105, IoT hub 110, and/or IoT service 120. In one embodiment, the application or Web application may be designed by the operator of the website 130 to provide IoT functionality to its user group. As shown, the website may maintain a user database 131 containing account records associated with each user.
Fig. 1B illustrates additional connection options for multiple IoT hubs 110-111, 190. In this embodiment, a single user may have multiple hubs 110-111 installed on site at a single customer premises 180 (e.g., the user's home or work site). This may be done, for example, to extend the wireless range required to connect all IoT devices 101-105. As shown, if a user has multiple hubs 110, 111, they may be connected via a local communication channel (e.g., Wifi, ethernet, powerline network, etc.). In one embodiment, each of the hubs 110 through 111 may establish a direct connection with the IoT service 120 through a cellular connection 115 or a WiFi connection 116 (not explicitly shown in fig. 1B). Alternatively or in addition, one of the IoT hubs, such as IoT hub 110, may act as a "master" hub that provides connectivity and/or local services to all other IoT hubs on the customer premises 180, such as IoT hub 111 (as shown by the dashed line connecting IoT hub 110 and IoT hub 111). For example, the primary IoT hub 110 may be the only IoT hub that establishes a direct connection with the IoT service 120. In one embodiment, only the "primary" IoT hub 110 is equipped with a cellular communication interface to establish a connection with the IoT service 120. As such, all communications between the IoT service 120 and the other IoT hubs 111 will flow through the primary IoT hub 110. As this role, the primary IoT hub 110 may have additional program code to perform filtering operations on data exchanged between the other IoT hubs 111 and the IoT service 120 (e.g., to serve some data requests locally, when possible).
Regardless of how IoT hubs 110-111 are connected, in one embodiment, IoT service 120 will logically associate the hubs with users and combine all attached IoT devices 101-105 under a single comprehensive user interface (and/or browser-based interface) that is accessible via the user devices that have installed application 135.
In this embodiment, the master IoT hub 110 and the one or more slave IoT hubs 111 may be connected through a local network, which may be a WiFi network 116, an ethernet network, and/or use a Power Line Communication (PLC) network (e.g., where all or part of the network operates over the user's power line). Additionally, for IoT hubs 110-111, each of IoT devices 101-105 may interconnect to IoT hubs 110-111 using any type of local network channel, such as WiFi, ethernet, PLC, or bluetooth LE.
Fig. 1B also shows an IoT hub 190 installed at the second subscriber premises 181. An almost unlimited number of such IoT hubs 190 may be installed and configured to collect data from IoT devices 191-192 at user premises around the world. In one embodiment, two customer premises 180 to 181 may be configured for the same user. For example, one customer premises 180 may be the user's main home, and the other customer premises 181 may be the user's vacation home. In this case, the IoT service 120 will logically associate the IoT hubs 110-111, 190 with the user and combine all attached IoT devices 101-105, 191-192 under a single comprehensive user interface (and/or browser-based interface) that is accessible via the user devices that have installed the application 135.
As shown in fig. 2, one exemplary embodiment of IoT device 101 includes a memory 210 for storing program code and data 201-203, and a low power microcontroller 200 for executing the program code and processing the data. The memory 210 may be a volatile memory such as a Dynamic Random Access Memory (DRAM) or may be a non-volatile memory such as a flash memory. In one embodiment, non-volatile memory can be used for the permanent storage device, and volatile memory can be used for executing program code and data at runtime. Further, memory 210 may be integrated within low power microcontroller 200 or may be coupled to low power microcontroller 200 via a bus or communication structure. The underlying principles of the invention are not limited to any particular implementation of memory 210.
As shown, the program code may include application code 203 that defines a set of application-specific functions to be performed by the IoT device 201, and library code 202 that includes a set of predefined building blocks that may be utilized by application developers of the IoT device 101. In one embodiment, the library code 202 includes a set of basic functions required to implement the IoT devices, such as a communication protocol stack 201 for enabling communication between each of the IoT devices 101 and the IoT hub 110. As noted above, in one embodiment, the communication protocol stack 201 comprises a bluetooth LE protocol stack. In this embodiment, the bluetooth LE radio and antenna 207 may be integrated within the low power microcontroller 200. However, the underlying principles of the invention are not limited to any particular communication protocol.
The particular embodiment shown in fig. 2 also includes a plurality of input devices or sensors 210 to receive user input and provide the user input to the low power microcontroller, which processes the user input according to the application code 203 and the library code 202. In one embodiment, each of the input devices includes an LED 209 to provide feedback to the end user.
In addition, the illustrated embodiment includes a battery 208 for powering the low power microcontroller. In one embodiment, a non-rechargeable button cell battery is used. However, in an alternative embodiment, an integrated rechargeable battery may be used (e.g., charged by connecting the IoT device to an ac power source (not shown)).
A speaker 205 for generating audio is also provided. In one embodiment, the low power microcontroller 299 includes audio decoding logic for decoding a compressed audio stream (e.g., such as an MPEG-4/Advanced Audio Coding (AAC) stream) to generate audio on the speaker 205. Alternatively, the low power microcontroller 200 and/or the application code/data 203 may include digitally sampled audio clips to provide verbal feedback to the end user when the user inputs a selection via the input device 210.
In one embodiment, one or more other/alternative I/O devices or sensors 250 may be included on IoT device 101 based on the particular application for which IoT device 101 is designed. For example, environmental sensors may be included to measure temperature, pressure, humidity, and the like. If the IoT device is used as a security device, a security sensor and/or a door lock opener may be included. Of course, these examples are provided for illustrative purposes only. The underlying principles of the invention are not limited to any particular type of IoT device. In fact, given the highly programmable nature of the low power microcontroller 200 equipped with library code 202, application developers can easily develop new application code 203 and new I/O devices 250 to interface with the low power microcontroller for almost any type of IoT application.
In one embodiment, low power microcontroller 200 also includes a secure key storage device for storing encryption keys used by embodiments described below (see, e.g., fig. 4-6 and/or associated text). Alternatively, the key may be protected in a Subscriber Identity Module (SIM) as described below.
In one embodiment, a wake-up receiver 207 is included to wake up the IoT device from an ultra-low power state that consumes little power. In one embodiment, the wake-up receiver 207 is configured to cause the IoT device 101 to exit the low-power state in response to a wake-up signal received from the wake-up transmitter 307 configured on the IoT hub 110 as shown in fig. 3. In particular, in one embodiment, the transmitter 307 and receiver 207 together form an electrically resonant transformer circuit, such as a tesla coil. In operation, when the hub 110 needs to wake the IoT device 101 from a very low power state, energy is transmitted from the transmitter 307 to the receiver 207 via radio frequency signals. Due to this energy transfer, IoT device 101 may be configured to consume little power when it is in a low power state because it does not need to continuously "listen" for signals from the hub (as is the case with network protocols that allow devices to wake up via network signals). More specifically, the microcontroller 200 of the IoT device 101 may be configured to wake up after being effectively powered down by using energy transmitted electrically from the transmitter 307 to the receiver 207.
As shown in fig. 3, IoT hub 110 also includes memory 317 for storing program code and data 305, and hardware logic 301, such as a microcontroller, for executing the program code and processing the data. A Wide Area Network (WAN) interface 302 and an antenna 310 couple the IoT hub 110 to the cellular service 115. Alternatively, as described above, the IoT hub 110 may also include a local network interface (not shown), such as a WiFi interface (and WiFi antenna) or an ethernet interface, for establishing a local network communication channel. In one embodiment, the hardware logic 301 also includes a secure key storage for storing encryption keys used by embodiments described below (see, e.g., fig. 4-6 and associated text). Alternatively, the key may be protected in a Subscriber Identity Module (SIM) as described below.
The local communication interface 303 and the antenna 311 establish a local communication channel with each of the IoT devices 101 to 105. As described above, in one embodiment, the local communication interface 303/antenna 311 implements the bluetooth LE standard. However, the underlying principles of the invention are not limited to any particular protocol for establishing local communication channels with IoT devices 101-105. Although shown as separate units in fig. 3, the WAN interface 302 and/or the local communication interface 303 may be embedded within the same chip as the hardware logic 301.
In one embodiment, the program code and data includes a communications protocol stack 308, which may include separate stacks for communicating over the local communications interface 303 and the WAN interface 302. Further, device pairing program code and data 306 may be stored in memory to allow the IoT hub to pair with a new IoT device. In one embodiment, each new IoT device 101-105 is assigned a unique code that is transmitted to the IoT hub 110 during the pairing process. For example, the unique code may be embedded in a barcode on the IoT device and may be read by the barcode reader 106 or may be transmitted over the local communication channel 130. In an alternative embodiment, the unique ID code is magnetically embedded on the IoT device, and the IoT hub has a magnetic sensor, such as a radio frequency ID (rfid) or Near Field Communication (NFC) sensor, to detect the code when the IoT device 101 moves within a few inches from the IoT hub 110.
In one embodiment, once the unique ID has been transmitted, the IoT hub 110 may verify the unique ID by: query a local database (not shown), perform a hash to verify whether the code is acceptable, and/or communicate with the IoT service 120, the user device 135, and/or the website 130 to verify the ID code. In one embodiment, once authenticated, IoT hub 110 pairs with IoT device 101 and stores the pairing data in memory 317 (which, as described above, may comprise non-volatile memory). Once pairing is complete, IoT hub 110 may connect with IoT device 101 to perform the various IoT functions described herein.
In one embodiment, the organization running the IoT service 120 may provide the IoT hub 110 and a basic hardware/software platform to allow developers to easily design new IoT services. In particular, in addition to the IoT hub 110, a Software Development Kit (SDK) may be provided to developers to update the program code and data 305 executing within the hub 110. Additionally, for IoT devices 101, the SDK may include a broad set of library code 202 designed for the underlying IoT hardware (e.g., the low power microcontroller 200 and other components shown in fig. 2) to facilitate designing a variety of different types of applications 101. In one embodiment, the SDK includes a graphical design interface in which developers need only specify inputs and outputs for IoT devices. All networking code has been prepared for the developer, including the communication stack 201 that allows the IoT device 101 to connect to the hub 110 and the service 120. Further, in one embodiment, the SDK also includes library code bases for facilitating the design of applications for mobile devices (e.g., iPhone and Android devices).
In one embodiment, IoT hub 110 manages a continuous bi-directional data flow between IoT devices 101-105 and IoT service 120. In the event that real-time updates to/from IoT devices 101-105 are needed (e.g., if a user needs to view the current state of security devices or environmental readings), the IoT hub may maintain open TCP sockets to provide periodic updates to the user device 135 and/or the external website 130. The particular networking protocol used to provide the update may be tailored to the needs of the underlying application. For example, in some cases, if continuous bi-directional flow may not make sense, a simple request/response protocol may be used to gather information when needed.
In one embodiment, both IoT hub 110 and IoT devices 101-105 are able to be automatically upgraded over a network. In particular, when the IoT hub 110 has a new update available, it may automatically download and install the update from the IoT service 120. It may first copy the updated code into local memory, run and validate the update, and then replace the older program code. Similarly, when updates are available for each of the IoT devices 101-105, the updates may be initially downloaded by the IoT hub 110 and pushed to each of the IoT devices 101-105. Each IoT device 101-105 may then apply the update in a manner similar to that described above for the IoT hub and report the results of the update back to the IoT hub 110. If the update is successful, the IoT hub 110 may delete the update from its memory and record the latest code version installed on each IoT device (e.g., so that it can continue to check whether each IoT device has a new update).
In one embodiment, the IoT hub 110 is powered via an ac power source. In particular, the IoT hub 110 may include a power supply unit 390 having a transformer for converting an ac voltage provided via an ac power line to a lower dc voltage.
Fig. 4 illustrates a high-level architecture that uses Public Key Infrastructure (PKI) techniques and/or symmetric key exchange/encryption techniques to encrypt communications between IoT services 120, IoT hubs 110, and IoT devices 101 and 102.
An implementation using a public/private key pair will be described first, followed by an implementation using symmetric key exchange/encryption techniques. Specifically, in embodiments using PKI, a unique public/private key pair is associated with each IoT device 101 and 102, each IoT hub 110, and the IoT service 120. In one embodiment, when a new IoT hub 110 is set up, its public key is provided to the IoT service 120, and when a new IoT device 101 is set up, its public key is provided to both the IoT hub 110 and the IoT service 120. Various techniques for securely exchanging public keys between devices are described below. In one implementation, all public keys are signed by a master key known to all receiving devices (i.e., a form of certificate) so that any receiving device can verify the public key by verifying the signature. These certificates would then be exchanged instead of just the original public key.
As shown, in one embodiment, each IoT device 101, 102 includes a security key storage 401, 403, respectively, for securely storing the private key of each device. The security logic 402, 404 then utilizes the securely stored private key to perform the encryption/decryption operations described herein. Similarly, IoT hub 110 includes a secure storage 411 for storing IoT hub private keys and public keys of IoT device 101 and IoT service 120; and security logic 412 to perform encryption/decryption operations using the key. Finally, IoT service 120 may include a secure storage 421 for securely storing its own private key, public keys of each IoT device and IoT hub, and security logic 413 for using the keys to encrypt/decrypt communications with the IoT hubs and devices. In one embodiment, when the IoT hub 110 receives the public key certificate from the IoT device, it may verify it (e.g., by verifying the signature using the master key as described above), then extract the public key therefrom and store it in its security key storage 411.
For example, in one embodiment, when IoT service 120 needs to transmit commands or data (e.g., a command to open a door lock, a request to read a sensor, data to be processed/displayed by an IoT device, etc.) to IoT device 101, security logic 413 encrypts the data/commands with the IoT device 101's public key to generate an encrypted IoT device packet. In one embodiment, it then encrypts the IoT device packet with the public key of the IoT hub 110 to generate an IoT hub packet and transmits the IoT hub packet to the IoT hub 110. In one embodiment, service 120 signs the encrypted message with its private or master key as described above, enabling device 101 to verify that it is receiving an unaltered message from a trusted source. Device 101 may then verify the signature using a public key corresponding to the private key and/or the master key. As described above, symmetric key exchange/encryption techniques may be used instead of public/private key encryption. In these embodiments, rather than storing one key privately and providing the corresponding public key to other devices, each device may be provided with a copy of the same symmetric key for use in encrypting and verifying signatures. One example of a symmetric key algorithm is Advanced Encryption Standard (AES), but the underlying principles of the invention are not limited to any type of specific symmetric key.
Using the symmetric key implementation, each device 101 enters a secure key exchange protocol to exchange symmetric keys with the IoT hub 110. Secure key provisioning protocols, such as Dynamic Symmetric Key Provisioning Protocol (DSKPP), may be used to exchange keys over a secure communication channel (e.g., see the request for comments (RFC) 6063). However, the underlying principles of the invention are not limited to any particular key provisioning protocol.
Once the symmetric keys have been exchanged, they may be used by each device 101 and IoT hub 110 to encrypt communications. Similarly, the IoT hub 110 and the IoT service 120 may perform a secure symmetric key exchange and then use the exchanged symmetric key to encrypt communications. In one embodiment, new symmetric keys are periodically exchanged between device 101 and hub 110 and between hub 110 and IoT service 120. In one embodiment, a new symmetric key is exchanged with each new communication session between device 101, hub 110, and service 120 (e.g., a new key is generated and securely exchanged for each communication session). In one embodiment, if the security module 412 in the IoT hub is trusted, the service 120 may negotiate a session key with the hub security module 412, and then the security module 412 may negotiate a session key with each device 120. Messages from service 120 are then decrypted and authenticated in hub security module 412 and then re-encrypted for transmission to device 101.
In one embodiment, to prevent affecting hub security module 412, a (persistent) installation key may be negotiated once between device 101 and service 120 at installation. When sending a message to device 101, service 120 may first encrypt/MAC with this device installation key and then encrypt/MAC with the hub's session key. The hub 110 would then authenticate and extract the encrypted device blob and send it to the device.
In one embodiment of the invention, a counter mechanism is implemented to prevent replay attacks. For example, each successive communication from device 101 to hub 110 (or vice versa) may be assigned a continuously increasing counter value. Both hub 110 and device 101 will track this value and verify that the value is correct in each successive communication between the devices. The same techniques may be implemented between hub 110 and service 120. Using counters in this manner may make spoofing communications between each device more difficult (as the counter values may be incorrect). However, even without this measure, the shared installation key between the service and the devices protects all devices from network (hub) wide attacks.
In one embodiment, when encrypted using the public/private key, the IoT hub 110 uses its private key to decrypt the IoT hub packet and generate and transmit an encrypted IoT device packet to the associated IoT device 101. IoT device 101 then decrypts the IoT device packet using its private key to generate commands/data originating from IoT service 120. It may then process the data and/or execute the command. With symmetric encryption, each device will encrypt and decrypt with a shared symmetric key. In either case, each transmitting device may also sign the message with its private key so that the receiving device can verify its authenticity.
Communications from IoT device 101 to IoT hub 110 and to IoT service 120 may be encrypted using different sets of key pairs. For example, with a public/private key arrangement, in one embodiment, the security logic 402 on the IoT device 101 uses the public key of the IoT hub 110 to encrypt data packets sent to the IoT hub 110. The security logic 412 on the IoT hub 110 may then decrypt the data packet with the IoT hub's private key. Similarly, security logic 402 on IoT device 101 and/or security logic 412 on IoT hub 110 may encrypt data packets sent to IoT service 120 with the public key of IoT service 120 (which may then be decrypted by security logic 413 on IoT service 120 using the service's private key). Using the symmetric key, device 101 and hub 110 may share the symmetric key, while hub and service 120 may share different symmetric keys.
While specific details are set forth in the above description, it should be noted that the underlying principles of the invention may be implemented using a variety of different encryption techniques. For example, while some embodiments described above use asymmetric public/private key pairs, alternative embodiments may use symmetric keys that are securely exchanged between the various IoT devices 101 and 102, the IoT hub 110, and the IoT service 120. Further, in some embodiments, the data/command itself is not encrypted, but a signature is generated on the data/command (or other data structure) using a key. The recipient can then use his key to verify the signature.
As shown in fig. 5, in one embodiment, the security key storage on each IoT device 101 is implemented with a programmable Subscriber Identity Module (SIM) 501. In this embodiment, the IoT device 101 may be initially provisioned to an end user with an unprogrammed SIM card 501 that is seated within the SIM interface 500 on the IoT device 101. To program the SIM with a set of one or more encryption keys, the user takes the programmable SIM card 501 from the SIM interface 500 and inserts it into the SIM programming interface 502 on the IoT hub 110. The programming logic 525 on the IoT hub then securely programs the SIM card 501 to register/pair the IoT device 101 with the IoT hub 110 and the IoT service 120. In one embodiment, the public/private key pair may be randomly generated by the programming logic 525, and then the public key of the key pair may be stored in the security storage 411 of the IoT hub while the private key may be stored within the programmable SIM 501. Further, programming logic 525 may store public keys of IoT hub 110, IoT service 120, and/or any other IoT device 101 on SIM card 501 (to be used by security logic 402 on IoT device 101 to encrypt outgoing data). Once the SIM 501 is programmed, the new IoT device 101 may be provisioned with the IoT service 120 using the SIM as a security identifier (e.g., using existing techniques to register the device using the SIM). After provisioning, both IoT hub 110 and IoT service 120 will securely store a copy of the IoT device's public key for use in encrypting communications with IoT device 101.
The techniques described above in connection with fig. 5 provide great flexibility in providing new IoT devices to end users. Rather than requiring the user to register each SIM directly with a particular service provider at the time of sale/purchase (as is currently done), the SIM may be programmed directly by the end user via the IoT hub 110 and the programming results may be securely transmitted to the IoT device 120. As a result, new IoT devices 101 may be sold online or from local retailers to end users and provided with IoT services 120 securely later.
Although the registration and encryption techniques are described above in the specific context of a SIM (subscriber identity module), the underlying principles of the invention are not limited to "SIM" devices. Rather, the underlying principles of the invention may be implemented using any type of device having a secure storage for storing a set of encryption keys. Further, while the above embodiments include removable SIM devices, in one embodiment, the SIM devices are not removable, but the IoT devices themselves may be inserted within the programming interface 502 of the IoT hub 110.
In one embodiment, rather than requiring the user to program the SIM (or other device), the SIM is preprogrammed into the IoT device 101 prior to distribution to the end user. In this embodiment, when a user sets up an IoT device 101, encryption keys may be securely exchanged between the IoT hub/IoT service 120 and the new IoT device 101 using the various techniques described herein.
For example, as shown in fig. 6A, each IoT device 101 or SIM401 may be packaged with a barcode or QR code 601 that uniquely identifies the IoT device 101 and/or SIM 401. In one embodiment, the barcode or QR code 601 includes an encoded representation of a public key for the IoT device 101 or SIM 401. Alternatively, the barcode or QR code 601 may be used by the IoT hub 110 and/or the IoT service 120 to identify or generate the public key (e.g., to serve as a pointer to a public key that has been securely stored in the secure storage). The barcode or QR code 601 may be printed on a separate card (as shown in fig. 6A) or may be printed directly on the IoT device itself. Regardless of where the barcode is printed, in one embodiment, IoT hub 110 is equipped with barcode reader 206 for reading the barcode and providing the resulting data to security logic 412 on IoT hub 110 and/or security logic 413 on IoT service 120. Security logic 412 on IoT hub 110 may then store the public key for the IoT device within its security key storage 411, and security logic 413 on IoT service 120 may store the public key (to be used for subsequent encrypted communications) within its security storage 421.
In one embodiment, the data contained in the barcode or QR code 601 may also be captured via a user device 135 (e.g., such as an iPhone or Android device) installed with an IoT application or browser-based applet designed by the IoT service provider. Once captured, the barcode data may be securely transmitted to the IoT service 120 over a secure connection, such as a Secure Sockets Layer (SSL) connection, for example. The barcode data may also be provided from the client device 135 to the IoT hub 110 over a secure local connection (e.g., over a local WiFi or bluetooth connection).
The security logic 402 on the IoT device 101 and the security logic 412 on the IoT hub 110 may be implemented using hardware, software, firmware, or any combination thereof. For example, in one embodiment, security logic 402, 412 is implemented within a chip (e.g., a Bluetooth LE chip if local channel 130 is a Bluetooth LE) used to establish local communication channel 130 between IoT device 101 and IoT hub 110. Regardless of the specific location of the security logic 402, 412, in one embodiment, the security logic 402, 412 is designed to establish a secure execution environment for executing a particular type of program code. This can be achieved, for example, by using TrustZone technology (available on some ARM processors) and/or trusted execution technology (designed by Intel). Of course, the underlying principles of the invention are not limited to any particular type of secure execution technology.
In one embodiment, a barcode or QR code 601 may be used to pair each IoT device 101 with an IoT hub 110. For example, rather than using the standard wireless pairing procedure currently used to pair Bluetooth LE devices, IoT hub 110 may be provided with a pairing code embedded within barcode or QR code 601 to pair the IoT hub with a corresponding IoT device.
Fig. 6B illustrates an embodiment in which the barcode reader 206 on the IoT hub 110 captures a barcode/QR code 601 associated with the IoT device 101. As described above, the barcode/QR code 601 may be printed directly on the IoT device 101 or may be printed on a separate card provided with the IoT device 101. In either case, the barcode reader 206 reads the pairing code from the barcode/QR code 601 and provides the pairing code to the local communication module 680. In one embodiment, local communication module 680 is a Bluetooth LE chip and associated software, although the underlying principles of the invention are not limited to any particular protocol standard. Once the pairing code is received, it is stored in a secure storage device containing pairing data 685, and IoT device 101 and IoT hub 110 are automatically paired. Each time an IoT hub is paired with a new IoT device in this manner, pairing data for that pairing is stored within secure storage 685. In one embodiment, once the local communication module 680 of the IoT hub 110 receives the pairing code, it may use the code as a key to encrypt communications with the IoT device 101 over the local wireless channel.
Similarly, on the IoT device 101 side, the local communication module 690 stores pairing data representing pairing with the IoT hub in the local secure storage 695. The pairing data 695 may include a pre-programmed pairing code identified in the barcode/QR code 601. Pairing data 695 may also include pairing data (e.g., additional keys for encrypting communications with IoT hub 110) received from local communication module 680 on IoT hub 110 that is needed to establish a secure local communication channel.
The barcode/QR code 601 may then be used to pair locally in a much more secure manner than current wireless pairing protocols, since the pairing code is not transmitted over the air. Further, in one embodiment, the same barcode/QR code 601 used for pairing may be used to identify the encryption keys used to construct the secure connection from IoT device 101 to IoT hub 110 and from IoT hub 110 to IoT service 120.
A method for programming a SIM card according to one embodiment of the present invention is shown in fig. 7. The method may be implemented within the system architecture described above, but is not limited to any particular system architecture.
At 701, the user receives a new IoT device with a blank SIM card, and at 702, the user inserts the blank SIM card into the IoT hub. At 703, the user programs the blank SIM card with a set of one or more encryption keys. For example, as described above, in one embodiment, the IoT hub may randomly generate a public/private key pair and store the private key on the SIM card and the public key in its local secure storage. Further, at 704, at least the public key is transmitted to the IoT service such that it can be used to identify the IoT device and establish encrypted communications with the IoT device. As described above, in one embodiment, programmable devices other than "SIM" cards may be used to perform the same functions as the SIM card in the method shown in FIG. 7.
A method of integrating a new IoT device into a network is shown in fig. 8. The method may be implemented within the system architecture described above, but is not limited to any particular system architecture.
At 801, a user receives a new IoT device that has been pre-assigned an encryption key. At 802, a key is securely provided to an IoT hub. As described above, in one embodiment, this involves reading a barcode associated with an IoT device to identify the public key of the public/private key pair assigned to that device. The barcode may be read directly by the IoT hub or captured via the mobile device via an application or browser. In alternative embodiments, a secure communication channel, such as a Bluetooth LE channel, Near Field Communication (NFC) channel, or secure WiFi channel, may be established between the IoT device and the IoT hub to exchange the key. Regardless of how the key is transmitted, once received, it is stored in the security key storage of the IoT hub device. As described above, various security enforcement techniques may be used on the IoT hub to store and protect keys, such as Secure enclosures, Trusted Execution Technology (TXT), and/or Trustzone. Further, at 803, the key is securely transmitted to the IoT service, which stores the key in its own secure key storage. It may then use the key to encrypt communications with the IoT device. Also, the exchange may be implemented with a certificate/signed key. Within hub 110, it is particularly important to prevent modification/addition/removal of stored keys.
One method of securely transmitting commands/data to IoT devices using public/private keys is illustrated in fig. 9. The method may be implemented within the system architecture described above, but is not limited to any particular system architecture.
At 901, the IoT service encrypts the data/command with an IoT device public key to produce an IoT device packet. It then encrypts the IoT device packet with the public key of the IoT hub to produce an IoT hub packet (e.g., to produce an IoT hub wrapper around the IoT device packet). At 902, an IoT service transmits an IoT hub packet to an IoT hub. At 903, the IoT hub decrypts the IoT hub packet with the IoT hub's private key to generate an IoT device packet. It then transmits the IoT device packet to the IoT device at 904, which decrypts the IoT device packet with the IoT device private key at 905 to generate the data/command. At 906, the IoT device processes the data/command.
In embodiments using symmetric keys, a symmetric key exchange may be negotiated between each device (e.g., between each device and the hub and the service). Once the key exchange is complete, each transmitting device encrypts and/or signs each transmission with a symmetric key before transmitting the data to the receiving device.
Embodiments of the present invention may include various steps as described above. These steps may be embodied in machine-executable instructions, which may be used to cause a general-purpose processor or special-purpose processor to perform the steps. Alternatively, these steps may be performed by specific hardware components that contain hardwired logic for performing the steps, or by any combination of programmed computer components and custom hardware components.
As described herein, instructions may refer to a particular hardware configuration, such as an Application Specific Integrated Circuit (ASIC), configured to perform certain operations or having predetermined functions or software instructions stored in a memory embodied in a non-transitory computer readable medium. Thus, the techniques illustrated in the figures can be implemented using code and data stored and executed on one or more electronic devices (e.g., an end station, a network element, etc.). Such electronic devices store and communicate (internally and/or with other electronic devices on a network) code and data using a computer-machine-readable medium, such as non-transitory computer-machine-readable storage media (e.g., magnetic disks; optical disks; random access memories; read only memories; flash memory devices; phase change memories) and transitory computer-machine-readable communication media (e.g., electrical, optical, acoustical or other forms of propagated signals-such as carrier waves, infrared signals, digital signals, etc.). Further, such electronic devices typically include a set of one or more processors connected to one or more other components, such as one or more storage devices (non-transitory machine-readable storage media), user input/output devices (e.g., a keyboard, a touchscreen, and/or a display), and network connections. The coupling of the processor book and other components is typically done through one or more buses and bridges (also called bus controllers). The storage devices and the signals carrying network traffic represent one or more machine-readable storage media and machine-readable communication media, respectively. Thus, the memory device of a given electronic device typically stores code and/or data for execution on a set of one or more processors of the electronic device. Of course, different combinations of software, firmware, and/or hardware may be used to implement one or more portions of embodiments of the invention.
Throughout the detailed description, for purposes of explanation, numerous specific details are set forth in order to provide a thorough understanding of the present invention. It will be apparent, however, to one skilled in the art that the present invention may be practiced without some of these specific details. In some instances, well-known structures and functions have not been described in detail so as not to obscure the subject matter of the present invention. Accordingly, the scope and spirit of the invention should be determined from the appended claims.

Claims (15)

1. A system for securely connecting network devices, comprising:
a hardware Internet of things (IoT) hub including a network interface to couple the IoT hub to an IoT service over a Wide Area Network (WAN), an
Programming logic of the IoT hub to program an identification device with one or more encryption keys that can be used to establish encrypted communications with an IoT device; and
the IoT device interfacing with the identification device after the IoT hub has programmed the identification device;
wherein the IoT device establishes a secure communication channel with the IoT hub and the IoT service using the one or more keys once the identification device is programmed and interfaced with the IoT device;
wherein the IoT hub to the program the identification device comprises to generate a public/private key pair and to store at least a private key of the public/private key pair on the identification device;
wherein said programming the identification device further comprises storing at least the public key in a secure storage on the IoT hub;
the IoT hub securely forwards the public key with the corresponding signature to the IoT service over the network interface and further securely forwards an IoT hub public key with the corresponding signature associated with the IoT hub and corresponding to an IoT hub private key; and
wherein to securely transmit commands or data to the IoT device, the IoT service encrypts the commands or data with the public key and generates a first signature to generate an IoT device packet, and then encrypts the IoT device packet with the IoT hub public key and generates a second signature to generate an IoT hub packet.
2. The system of claim 1, wherein the identification device comprises a Subscriber Identity Module (SIM).
3. The system as in claim 1 wherein the identification device is attached to the IoT device.
4. The system as in claim 1 wherein the IoT hub decrypts the IoT hub packet and verifies the second signature with the IoT hub private key to generate the IoT device packet and forwards the IoT device packet to the IoT device, the IoT device verifying the first signature and decrypting the IoT device packet using the private key.
5. The system of claim 1, wherein the identification means comprises a secure key storage for storing the private key provided by the programming logic.
6. A system for securely connecting network devices, comprising:
a hardware Internet of things (IoT) hub including a network interface to couple the IoT hub to an IoT service over a Wide Area Network (WAN), an
A local interface on the IoT hub to receive one or more encryption keys that can be used to establish a secure communication channel with an IoT device;
wherein the IoT hub and the IoT service establish the secure communication channel with the IoT device using the one or more encryption keys once the IoT hub has received the one or more encryption keys; and
wherein a first public/private key pair is associated with the IoT device, and wherein the IoT hub receives at least the public key of the first public/private key pair and forwards the public key to the IoT service;
wherein a second public/private key pair is associated with the IoT hub, and wherein the IoT hub provides at least the public key of the second public/private key pair to the IoT device and the IoT service;
wherein the IoT device encrypts communications directed to the IoT hub using the public key of the second public/private key pair, and wherein the IoT hub and the IoT service encrypt communications directed to the IoT device using the public key of the first public/private key pair; and
wherein to securely transmit commands or data to the IoT device, the IoT service encrypts the commands or data with the public key and generates a first signature to generate an IoT device packet, and then encrypts the IoT device packet with the IoT hub public key and generates a second signature to generate an IoT hub packet.
7. The system of claim 6, wherein the local interface comprises a barcode or QR code reader for reading a barcode or QR code used to identify the one or more encryption keys.
8. The system as in claim 6 wherein the lot hub securely forwards the public keys of the first and second public/private key pairs to the lot service.
9. The system as in claim 6 wherein the IoT service utilizes the public key of the first public/private key pair to generate a signature to be transmitted with each command or data and wherein the IoT device utilizes the private key of the first public/private key pair to verify the signature.
10. The system as in claim 6 wherein the IoT service includes a sequence number or random number with each command or data transmitted to the IoT device that the IoT device is to verify.
11. The system as in claim 6 wherein the IoT hub decrypts the IoT hub packet with the private key of the second public/private key pair to generate the IoT device packet and forwards the IoT device packet to the IoT device, wherein the IoT device decrypts the IoT device packet using the private key of the first public/private key pair.
12. The system of claim 6, wherein the local interface comprises a Bluetooth Low Energy (LE) communication channel or a WiFi communication channel.
13. A method for securely connecting network devices, comprising:
providing an Internet of things (IoT) hub, the IoT hub including a network interface to couple the IoT hub to an IoT service over a Wide Area Network (WAN), an
Programming, by the IoT hub, an identification device to include one or more encryption keys usable to establish an encrypted communication channel with an IoT device; and
interfacing the IoT device with the identification device after the programming of the identification device by the IoT hub;
wherein the IoT device establishes a secure communication channel with the IoT hub and the IoT service using the one or more keys upon programming the identification device and interfacing with the IoT device;
wherein the IoT hub to the program the identification device comprises to generate a public/private key pair and to store at least a private key of the public/private key pair on the identification device;
wherein said programming the identification device further comprises storing at least the public key in a secure storage on the IoT hub;
the IoT hub securely forwards the public key with the corresponding signature to the IoT service over the network interface and further securely forwards an IoT hub public key with the corresponding signature associated with the IoT hub and corresponding to an IoT hub private key; and
wherein to securely transmit commands or data to the IoT device, the IoT service encrypts the commands or data with the public key and generates a first signature to generate an IoT device packet, and then encrypts the IoT device packet with the IoT hub public key and generates a second signature to generate an IoT hub packet.
14. The method of claim 13, wherein the identification device comprises a Subscriber Identity Module (SIM).
15. The method as in claim 13 wherein the identification device is attached to the IoT device.
CN201580069097.4A 2014-12-18 2015-12-14 Internet of things platform, equipment and method Active CN107111515B (en)

Applications Claiming Priority (5)

Application Number Priority Date Filing Date Title
US14/575,535 2014-12-18
US14/575,535 US20160180100A1 (en) 2014-12-18 2014-12-18 System and method for securely connecting network devices using optical labels
US14/575,463 US9832173B2 (en) 2014-12-18 2014-12-18 System and method for securely connecting network devices
US14/575,463 2014-12-18
PCT/US2015/065539 WO2016100200A1 (en) 2014-12-18 2015-12-14 Internet of things platforms, apparatuses, and methods

Publications (2)

Publication Number Publication Date
CN107111515A CN107111515A (en) 2017-08-29
CN107111515B true CN107111515B (en) 2020-11-10

Family

ID=56127426

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201580069097.4A Active CN107111515B (en) 2014-12-18 2015-12-14 Internet of things platform, equipment and method

Country Status (4)

Country Link
JP (1) JP6596091B2 (en)
KR (1) KR102520088B1 (en)
CN (1) CN107111515B (en)
WO (1) WO2016100200A1 (en)

Families Citing this family (15)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US10863234B2 (en) 2009-03-03 2020-12-08 Mobilitie, Llc System and method for secure appliance operation
US10798216B2 (en) * 2016-10-15 2020-10-06 Microsoft Technology Licensing, Llc Automatic provisioning of IoT devices
KR101857392B1 (en) 2017-01-03 2018-06-19 주식회사 엘지화학 Method for preparing modified conjugated diene polymer
US12256024B2 (en) 2017-06-21 2025-03-18 Microsoft Technology Licensing, Llc Device provisioning
US11374760B2 (en) 2017-09-13 2022-06-28 Microsoft Technology Licensing, Llc Cyber physical key
KR102024376B1 (en) * 2017-12-14 2019-09-23 아주대학교산학협력단 Method of bootstrapping of internet of thing device
KR102348078B1 (en) * 2018-01-12 2022-01-10 삼성전자주식회사 User terminal device, electronic device, system comprising the same and control method thereof
MX391370B (en) * 2018-04-09 2025-03-21 Ip Invest Holdings Llc System and method for secure appliance operation
US20210176641A1 (en) * 2018-05-03 2021-06-10 Telefonaktiebolaget Lm Ericsson (Publ) Device Enrollment using Serialized Application
RU2695487C1 (en) * 2018-09-26 2019-07-23 Олег Дмитриевич Гурин Method and system for interaction of devices of the internet of things (iot)
US10798572B2 (en) 2018-10-25 2020-10-06 Ioxt, Llc System and method for secure appliance operation
CN113518056A (en) * 2020-04-09 2021-10-19 武汉慧禹信息科技有限公司 Safe transmission method for link of Internet of things
EP4565003A3 (en) 2021-03-04 2025-07-02 SSenStone Inc. Sim card apparatus for verifying authentication virtual code generated for security of iot device
WO2022186654A1 (en) * 2021-03-04 2022-09-09 주식회사 센스톤 Sim card apparatus for verifying authentication virtual code generated for security of iot device
JP2023064550A (en) * 2021-10-26 2023-05-11 日本電信電話株式会社 Communication system, communication method and program

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US7165180B1 (en) * 2001-11-27 2007-01-16 Vixs Systems, Inc. Monolithic semiconductor device for preventing external access to an encryption key
CN101145914A (en) * 2006-07-17 2008-03-19 捷讯研究有限公司 Automatic management of security information for a security token access device with multiple connections
CN103166919A (en) * 2011-12-13 2013-06-19 中国移动通信集团黑龙江有限公司 Method and system for information transmission of Internet of Things
CN103609087A (en) * 2011-06-08 2014-02-26 德国捷德有限公司 Methods and devices for ota management of subscriber identity modules

Family Cites Families (18)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JP3802023B2 (en) * 2003-10-24 2006-07-26 松下電器産業株式会社 Mail order method
JP5199132B2 (en) * 2006-03-16 2013-05-15 ブリティッシュ・テレコミュニケーションズ・パブリック・リミテッド・カンパニー Method, apparatus, software for authentication of a device temporarily provided with a SIM to store a challenge response
US8249553B2 (en) * 2008-03-04 2012-08-21 Alcatel Lucent System and method for securing a base station using SIM cards
EP2172862A1 (en) * 2008-10-02 2010-04-07 Broadcom Corporation Secure virtual machine manager
KR20100052271A (en) * 2008-11-10 2010-05-19 삼성전자주식회사 Method and apparatus of communication security for personal health information
JP5250456B2 (en) * 2009-03-10 2013-07-31 株式会社日立製作所 Communication equipment system and card type equipment
US9729516B2 (en) * 2010-04-09 2017-08-08 Gemalto Sa Method of machine-to-machine communication
CN102238203A (en) * 2010-04-23 2011-11-09 中兴通讯股份有限公司 Internet of things service realization method and system
CN103635940A (en) * 2011-05-02 2014-03-12 阿派基公司 Systems and methods for controlling a locking mechanism using a portable electronic device
US9105025B2 (en) * 2011-10-17 2015-08-11 Capital One Financial Corporation Enhanced near field communications attachment
CN202364249U (en) * 2011-11-07 2012-08-01 曹庆瑞 Home furnishing intelligent Internet of Things management system
US20130342314A1 (en) * 2012-06-22 2013-12-26 Gun Chen Smart lock structure and operating method thereof
CA2878363A1 (en) * 2012-07-09 2014-01-16 Debiotech S.A. Communication secured between a medical device and its remote device
WO2014022856A1 (en) * 2012-08-03 2014-02-06 ENNIS, Louis, C. Mobile social media platform and devices
WO2014148960A1 (en) * 2013-03-22 2014-09-25 Telefonaktiebolaget L M Ericsson (Publ) Communication apparatus, control method thereof, and computer program thereof
US9930142B2 (en) * 2013-05-24 2018-03-27 Hand Held Products, Inc. System for providing a continuous communication link with a symbol reading device
US9860235B2 (en) * 2013-10-17 2018-01-02 Arm Ip Limited Method of establishing a trusted identity for an agent device
US20150121470A1 (en) * 2013-10-25 2015-04-30 Qualcomm Incorporated Peer-to-peer onboarding of internet of things (iot) devices over various communication interfaces

Patent Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US7165180B1 (en) * 2001-11-27 2007-01-16 Vixs Systems, Inc. Monolithic semiconductor device for preventing external access to an encryption key
CN101145914A (en) * 2006-07-17 2008-03-19 捷讯研究有限公司 Automatic management of security information for a security token access device with multiple connections
CN103609087A (en) * 2011-06-08 2014-02-26 德国捷德有限公司 Methods and devices for ota management of subscriber identity modules
CN103166919A (en) * 2011-12-13 2013-06-19 中国移动通信集团黑龙江有限公司 Method and system for information transmission of Internet of Things

Also Published As

Publication number Publication date
JP2018504033A (en) 2018-02-08
CN107111515A (en) 2017-08-29
JP6596091B2 (en) 2019-10-23
KR102520088B1 (en) 2023-04-07
KR20170097143A (en) 2017-08-25
WO2016100200A1 (en) 2016-06-23

Similar Documents

Publication Publication Date Title
US9832173B2 (en) System and method for securely connecting network devices
CN107111515B (en) Internet of things platform, equipment and method
US9894473B2 (en) System and method for securely connecting network devices using optical labels
US11683307B2 (en) System and method for automatic wireless network authentication
US10841759B2 (en) Securely providing a password using an internet of things (IoT) system
US10659961B2 (en) Apparatus and method for sharing WiFi security data in an internet of things (IoT) system
US10613499B2 (en) System and method for virtual internet of things (IoT) devices and hubs
KR102723973B1 (en) Device and method for establishing a secure communication channel in an Internet of Things (IoT) system
US10524119B2 (en) Apparatus and method for sharing credentials in an internet of things (IoT) system
US10291595B2 (en) System and method for securely connecting network devices
US20230379169A1 (en) Apparatus and method for cryptographically securing unpowered or non-electronic iot devices
HK1242812A1 (en) Internet of things platforms, apparatuses, and methods
HK1242812B (en) Internet of things platforms, apparatuses, and methods

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination
REG Reference to a national code

Ref country code: HK

Ref legal event code: DE

Ref document number: 1242812

Country of ref document: HK

GR01 Patent grant
GR01 Patent grant